Thousands of LG TVs Risk Hacker Takeover
On April 9, Bitdefender released a report revealing that 90,000+ LG TVs (as found by Shodan) could be commandeered unless they get a new security update for 4 critical vulnerabilities discovered last year. These vulnerabilities could let an attacker bypass security checks and gain complete control of the device.
Most of these TVs are in South Korea. Significant numbers were also found in Hong Kong, the US, Sweden, and Finland. To prevent exploitation, LG made the security update available to all these devices under the Settings menu on April 10.
In November 2023, Bitdefender’s security research identified 4 vulnerabilities in WebOS versions 4 through 7 on LG TVs and reported them to LG. Although the vulnerabilities are exploited through LAN access, they still pose serious threats.
The first vulnerability (CVE-2023-6317) allows a hacker to skip the usual security check and add a new user to the TV, bypassing the system’s authorization mechanism. Once added, this user can exploit a second vulnerability (CVE-2023-6318) to gain complete control over the TV, known as root access.
A third bug (CVE-2023-6319) involves a hacker manipulating part of the TV’s software that displays music lyrics to execute unauthorized commands. The fourth one (CVE-2023-6320) enables attackers to send authenticated commands through a specific part of the TV’s network service, allowing them further unauthorized access.
Ars Technica points out that the risks go beyond just a smart TV being hijacked. If a hacker accesses the accounts linked to the device, they could also get to the user’s emails and financial details. In addition, the hacked devices could be used in crypto-mining operations or become part of a botnet.
Updating the TV to the latest software version is essential to ensure device safety. LG issued a security patch in its update on March 22. Most LG devices likely received this update automatically.
To update to the latest version of WebOS TV, navigate to Settings > Support > Software Update, and select “Check for Updates.” If available, choose “Download and Install.”